Because I worked through the challenges in reverse order, some payloads end up solving several of them at once, which is not great for learning anything new. I hope others can share some different methods.
The log records the User-Agent, so write a one-line PHP statement into the UA header and then include the log file /var/log/nginx/access.log directly.
The data pseudo-protocol also works.
According to the author's intent, you have to include flag.php, which then outputs the flag directly.
The suffix is restricted, so we can try a pseudo-protocol. Because the string flag is not allowed, the filter protocol and php://input do not work.
Finally I tried the data protocol, and it succeeded.
payload: c=data:text/plain,<?php system('cat f*')?>
This is equivalent to executing the PHP statement <?php system('cat f*')?>.php
Because the PHP tag in front is already closed, the trailing .php is treated as HTML and simply displayed on the page, so it has no effect.
For the specific steps, see the GXYCTF challenge "Ban on Dolls" (禁止套娃) below.
If you look at the next challenge carefully, you will find that what is filtered is not ASCII brackets but full-width (Chinese) brackets.
So basic commands can still be used, but unfortunately the quotation marks and the dollar sign are filtered out.
1. Using session
At first I wanted to use session_id(). First I changed the PHPSESSID value in the cookie to ls,
then sent c=session_start();system(session_id()); and found that it executed.
Then I changed it directly to c=session_start();highlight_file(session_id());
and changed PHPSESSID to flag.php, and then something went wrong.
After testing, I found that this is affected by the PHP version: on 5.5-7.1.9 it can all be executed, because session_id is specified as characters from 0-9, a-z, A-Z and -. Below 5.5 and above 7.1 nothing else can be written, but characters that meet the requirement are fine.
So we have to find another way. If any expert has made sessionid work, I hope the comments below correct my statement above.
2. Reading the file with array manipulation
First payload: highlight_file(next(array_reverse(scandir(pos(localeconv())))));
localeconv(): returns an array containing local numeric and currency formatting information. The first element of the array is the dot (.)
pos(): returns the value of the current element of the array.
array_reverse(): reverses the order of the array.
scandir(): gets the files in a directory.
next(): advances the array's internal pointer to the next element and returns it.
First, pos(localeconv()) yields the dot. Since scandir('.') lists the files in the current directory,
scandir(pos(localeconv())) gets us flag.php. The details are as follows
Our goal is clear: get the penultimate element. Just reverse the array and advance the pointer to the next element.
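All three techniques in this writeup (a PHP tag planted in the User-Agent and later pulled in through /var/log/nginx/access.log, a data: URI carrying PHP source, and a bracket-only function chain such as highlight_file(next(array_reverse(scandir(pos(localeconv())))))) leave the payload itself in the web server's access log, which is where a defender can spot them. The script below is an added example and not part of the original writeup: it parses nginx combined-format lines and flags each of those patterns. The log lines, rule names and the LOG_RE format are my own constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in nginx "combined" format (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?c=data:text/plain,%3C%3Fphp%20system(%27cat%20f*%27)%3F%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?file=/var/log/nginx/access.log HTTP/1.1" 200 90 "-" "<?php system($_GET['x']); ?>"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?c=highlight_file(next(array_reverse(scandir(pos(localeconv()))))); HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=about HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# nginx "combined" log format: ip ident user [time] "METHOD target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule gets the parsed request (with the query string already URL-decoded)
# and returns True when the line shows one of the patterns from the writeup.
RULES = [
    # PHP opening tag in the User-Agent: a log-poisoning attempt that only pays off
    # once the log file is included by the application.
    ("php_tag_in_ua", lambda req: "<?php" in req["ua"].lower()),
    # data: URI whose body contains PHP source, used to smuggle code through include().
    ("data_uri_with_php",
     lambda req: re.search(r"data:[^,]*,.*<\?php", req["query"], re.I | re.S) is not None),
    # An include/file parameter pointing at the server's own log directory.
    ("log_file_include", lambda req: "/var/log/" in req["query"]),
    # Bare PHP function calls in a query string: the bracket-only chains from this writeup.
    ("php_function_chain",
     lambda req: re.search(
         r"\b(system|scandir|localeconv|highlight_file|session_id)\s*\(", req["query"]
     ) is not None),
]


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    # Decode percent-encoding so "%3C%3Fphp" becomes "<?php" before the rules run.
    req["query"] = unquote_plus(req["target"].partition("?")[2])
    return req


def scan_log(text):
    """Return [(client_ip, [matched rule names]), ...] for lines that hit at least one rule."""
    hits = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        matched = [name for name, check in RULES if check(req)]
        if matched:
            hits.append((req["ip"], matched))
    return hits


if __name__ == "__main__":
    for ip, rules in scan_log(SAMPLE_LOG):
        print(f"{ip}: {', '.join(rules)}")
```

Decoding the query string before matching is what makes the data: rule catch the percent-encoded payload on the first sample line; the User-Agent is matched raw because nginx writes it as sent. Running the script over the constructed input reports three of the four lines, and the plain page=about request is left alone.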